With several recent high-profile security breaches directly affecting a wide variety of consumers, information security is front and center in the headlines.

Amidst all the buzz, it can be challenging to identify the valuable advice given to avoid these threats, particularly for small and medium-sized businesses. With fewer resources and less influence, many SMBs struggle with how to approach the information security space and make sense of the diverse array of information that exists. SMBs may understand the need for a strong security program, but it is not entirely obvious how they can implement one.

Although a proper approach to information security is a complex and detailed discussion, there is an appropriate first step: looking at information security as a business function rather than a mystical, elusive topic.

Security should be treated in the same way as legal services, payroll and other business operations. For many reasons, including economies of scale, many SMBs outsource critical business functions that fall outside of their core business focus, and security should be treated in a similar manner. SMBs usually cannot dedicate their own people, process and technology to security functions, but they can purchase access to a shared pool of security resources.

Like any outsourcing decision, the SMB will want to approach the security discussion from an educated and knowledgeable perspective. At a high level, security is built fundamentally on people, process, and technology. Through in-depth discussions with security providers, SMBs can begin to understand how a provider leverages and incorporates each of these three elements. Questions that SMBs should ask include:

Are the provider’s people adequately trained, do they have the necessary skills, and are they trustworthy?

Is the provider’s process organized, well documented, timely, accurate, and does it follow industry best practices and guidance?

Does the provider's technology support a sound and efficient operational workflow, does it enable the provider to address the modern threat landscape, and does it adequately address the issues presented by the risks, threats and concerns specific to your organization?

For SMBs looking to implement security as a line item, it is important to understand what is being purchased. In addition to the points mentioned above, ask to meet the people who will be watching the henhouse. Ask them questions based on your priorities and business needs to understand how they think and what their worldview is.

Be a tough customer — after all, it is important to remember that security is about managing, reducing, mitigating, and accepting risk. While risk can never be eliminated entirely, incorporating security can help keep it to a manageable level. That endeavor begins by coming to the table as an educated consumer.

Joshua Goldfarb is chief technology officer, Emerging Technologies, at FireEye and has more than a decade of experience building, operating and running security operations centers. Previously, Goldfarb served as the chief of analysis for US-CERT, where he built and subsequently ran the network, physical media and malware analysis/forensics capabilities. Goldfarb holds both a B.A. in physics and an M.Eng. in operations research and information engineering from Cornell University.